Humans were at the very heart of reflections at the International Cybersecurity Forum (FIC 2020) - a three-day event, which welcomed over 12,000 participants and 450 exhibitors, held in Lille, France, last week.
Coincidentally, the conference took place in the same week which saw the UK officially leave the EU. In a world which might currently feel divisive and fractured, the cyber security industry is putting on a refreshingly united front. The ethos of “togetherness” chimed loudly at FIC 2020.
Talks and roundtables covered a whole range of topics, including the future of 5G technology, automation, election hacking, and cyber diplomacy.
AI and ethics
One of the most fascinating plenaries was entitled “Cyber security and Artificial Intelligence: a love-hate relationship”. When it comes to warfare, it is no secret that some nation states believe that the faster AI develops, the more powerful they will be on the battlefield. Views expressed on this panel seemed comparatively measured - ethics come first, even if that hinders the advancement of technology.
Oh and apparently we can forget about “Killer Robots” taking over the planet...at least, for now. Shujun Li, Professor of Cyber Security, University of Kent, reassured us that AI won’t be outpacing humans any time soon (at least not in the next 20-50 years). Humans will be very much involved in the evolution of AI and there is still a long way to go in understanding ethics, social responsibility, privacy and the legal aspects of AI in this debate.
Hack me if you can
“Social Engineering: hack me if you can” was another excellent panel discussion. One of the speakers, Deanna Caputo, a behavioral scientist in MITRE's Social, Behavioral, and Linguistic Sciences Department, insists that we need to stop talking about the “errors” that humans make. The longer we use negative language, the longer it will take to solve the problem. We must, instead, empower people.
Deanna is a firm believer that human behaviour can change. Instilled within us all is the “flight/fight” response to danger. We need to empower people to fight, but instead we surround them with fear and they choose flight.
It was interesting to hear about methods employed by social engineer & SocialProof Security CEO, Rachel Tobac. Instead of using fear to emulate hackers' tactics...she employs charm. She will either fabricate a situation where she is helping you, or you are helping her - as a means to break down barriers and establish trust. If you didn’t watch this CNN report last year, do watch it for an insight into how she operates.
Rachel’s advice to dodge the criminals? Be politely paranoid. No need to abandon social media - but don’t tag each photo with its geolocation. Less information is more. Defcon Founder, Jeff Moss, rates the “four eyes/two person rule” - get two people involved when checking suspicious links/emails...ideally of different genders. Two people looking at the same problem will always be more effective.
Jeff also said that he often plays for time if he is unsure of the identity of the person he’s interacting with - he’ll ask the person if he can call them back. Anyone legitimate would allow that. The point being: if you are interfering with the fraudster’s plans, they won’t like it, and their uneasy reaction will be a warning sign.
Ex Anonymous hacker, Jake Davis
I very much enjoyed chatting with Jake Davis, of Anonymous and LulzSec fame, who echoed author Shoshana Zuboff's thoughts (The Age of Surveillance Capitalism): “We are moving into a world of advanced social engineering and psychological sovereignty; we are being rendered into profit as humans.”
He believes that there's generally too much onus on the end user. “We can’t tell everyone in the world to act like a spy,” he says, “it’s up to the people who design things to make them secure.”
“We go around training people for weeks on what links to click and what not to click - but links are designed to be clicked. So we are asking people to not use this design principle we’ve created...they're having to juggle too much in their heads - and once there's too much to juggle - they just ignore it - because humans follow the path of least resistance.”
His advice is to think critically about the internet, but don’t distrust it entirely otherwise you’ll live in a world of paranoia.
When you’re typing something or giving away information, Jake suggests asking yourself the following questions: Where is this going? Where is this likely to go in the future? To whom might it go? Does this company really need my real DOB? It’s about preemptive, future-proofing damage control.
“Security and data privacy has become a trend for companies,” he states. Echoing the theme of FIC 2020, “the trick we are missing is not investing in people”. When it comes to cyber security, he adds, the real problem is “bad asset management”, citing the recent Travelex episode as an example. Investing time to understand the essence of who you are, how you operate and what parts of yourself are portrayed on the internet publicly is worth the effort.
Simplicity is also important: don’t over-complicate things. Jake thinks that you don’t need expensive, advanced solutions. “What you need is to understand how you handle users’ information and encrypt it properly,” he advises. It is even refreshing for the mind, he says, to know where things are; “no one likes a messy room”.
Let's put our trust back in humanity!